Generate a SAS token server side in C# or client side in JavaScript with my ASP.Net MVC site [closed]
I have an ASP.Net MVC site where I have my client-side JavaScript files calling on an Azure storage table to read data.
I thought, for extra security, I would implement a shared access signature (SAS) when performing the query, so I generate one when the user logs in and it gets saved into a Session variable.
Question 1 - if the data the client is fetching isn't sensitive (just chat messages), is a SAS token even needed? I don't have the client side doing anything but reading. So if I don't use a SAS token will hackers be able to write and delete, etc.?
Question 2 - In the MS docs you can generate the SAS key in C#, which is what I'm doing. Then I save the SAS key in a Session variable for each user, which gets put into a hidden field on the pages where it is needed. This seems to work OK so far, but looking at the Node.js docs it looks like I can generate the key client side!! If I have an ASP.Net MVC site, should I be generating the SAS key client side instead of server side?
javascript asp.net-mvc azure azure-storage
closed as primarily opinion-based by TylerH, Matthew L Daniel, Tân Nguyễn, stealthyninja, Mark Rotteveel Nov 11 at 11:37
Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise. If this question can be reworded to fit the rules in the help center, please edit the question.
edited Nov 11 at 16:39
Richard
asked Nov 10 at 22:13
user1186050
1 Answer
> Question 1 - if the data the client is fetching isn't sensitive (just
> chat messages), is a SAS token even needed? I don't have the client
> side doing anything but reading. So if I don't use a SAS token will
> hackers be able to write and delete, etc.?

Yes. Each request to Azure Table Storage needs to be authorized. There are two ways to do that: 1) generate an authorization token using the account key, or 2) use a SAS token. SAS tokens will enable you to provide time-bound, granular permissions (read, add, delete, etc.) for your table resources.

> Question 2 - In the MS docs you can generate the SAS key in C#, which
> is what I'm doing. Then I save the SAS key in a Session variable for
> each user, which gets put into a hidden field on the pages where it is
> needed. This seems to work OK so far, but looking at the Node.js docs
> it looks like I can generate the key client side!! If I have an ASP.Net
> MVC site, should I be generating the SAS key client side instead of
> server side?

The SAS key should be generated on the server side. To generate a SAS token, you would need the account key. If you were to generate the SAS token on the client side, you would need to share your account key on the client side, which is a BIG security risk as anybody can do a view source and find the account key.
answered Nov 11 at 2:22
Gaurav Mantri
Hi Gaurav. How/where do I generate an authorization token that isn't time specific that will allow just read access to my Azure table? I can't seem to figure it out in my dashboard.
– user1186050
Nov 12 at 22:02
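The answer's two points, as an added example that is not part of the original post or of any Microsoft SDK: a Node.js server signs a read-only, 15-minute Table SAS with the account key, and a simplified local model of the service-side check rejects a token whose permissions were edited. The account name, table name, key and the `verifySas` helper are constructed for illustration; the string-to-sign follows the Table service SAS layout for service version 2015-04-05 and later.

```javascript
// Added example: sign and check a read-only Table service SAS on the server (Node.js).
const crypto = require("crypto");

// Constructed values; a real account key lives only in server-side configuration.
const ACCOUNT = "examplechatacct";
const TABLE = "ChatMessages";
const ACCOUNT_KEY = Buffer.from("constructed-demo-key-not-a-secret").toString("base64");
const SAS_VERSION = "2015-04-05";

// String-to-sign layout of a Table service SAS (service version 2015-04-05 and later).
function stringToSign({ sp, st, se, spr }) {
  const resource = `/table/${ACCOUNT}/${TABLE.toLowerCase()}`;
  return [sp, st, se, resource,
    "", "",            // signedIdentifier, signedIP: unused here
    spr, SAS_VERSION,
    "", "", "", "",    // start/end partition and row keys: whole table
  ].join("\n");
}

// HMAC-SHA256 over the string-to-sign, keyed with the base64-decoded account key.
function sign(fields, keyBase64) {
  return crypto.createHmac("sha256", Buffer.from(keyBase64, "base64"))
    .update(stringToSign(fields), "utf8").digest("base64");
}

// Server side: issue a short-lived token that permits query (read) only.
function issueReadOnlySas(now = new Date(), minutes = 15) {
  const iso = (d) => d.toISOString().replace(/\.\d{3}Z$/, "Z");
  const fields = {
    sp: "r",
    st: iso(new Date(now.getTime() - 5 * 60000)), // allow for clock skew
    se: iso(new Date(now.getTime() + minutes * 60000)),
    spr: "https",
  };
  const q = new URLSearchParams({ sv: SAS_VERSION, tn: TABLE, ...fields });
  q.set("sig", sign(fields, ACCOUNT_KEY));
  return q.toString();
}

// Local model of the service-side check (hypothetical helper): recompute and compare.
function verifySas(queryString, keyBase64, now = new Date()) {
  const q = new URLSearchParams(queryString);
  const fields = { sp: q.get("sp"), st: q.get("st"), se: q.get("se"), spr: q.get("spr") };
  const expected = Buffer.from(sign(fields, keyBase64));
  const given = Buffer.from(q.get("sig") || "");
  const sigOk = expected.length === given.length && crypto.timingSafeEqual(expected, given);
  return sigOk && now >= new Date(fields.st) && now < new Date(fields.se);
}
```

Only the query string returned by `issueReadOnlySas` goes to the browser; the permissions and expiry are covered by the signature, so changing `sp=r` in the page invalidates the token, and producing a new valid one requires the account key.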